
Remove `localsysop` setting

The `localsysop` setting is dangerous and allows an attack where an
attacker constructs a malicious webpage that makes a connection to
`localhost` on the appropriate port and then takes over the server.
Since the dev console can be used from `localhost` by default, this
would include the ability to run arbitrary code on the server computer.

Any server operator who browses the internet on the same computer
where she or he hosts the server (such as some small-time server
operators) would be vulnerable to having their computer taken
over merely by visiting any webpage on the internet under the
control of the attacker.
cathyjf committed Apr 6, 2013
1 parent ee6d329 commit b290447bb7d76c8193c4f764c178506928d8c928
Showing with 1 addition and 19 deletions.
  1. +1 −11 README.md
  2. +0 −4 config/config-example.js
  3. +0 −4 users.js
@@ -61,7 +61,7 @@ Once your server is up, you probably want to make yourself an Administrator (~)

### config/usergroups.csv

The easiest way to become an Administrator is to create a file named `config/usergroups.csv` containing
To become an Administrator, create a file named `config/usergroups.csv` containing

USER,~

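Review bot: with the `localsysop` shortcut removed elsewhere in this commit, the `config/usergroups.csv` recipe becomes the only documented way to obtain the Administrator (`~`) rank, so the line `USER,~` should not be left looking literal; say explicitly that `USER` is to be replaced by the operator's own username, using the same "Replace `user` by ..." phrasing the README already uses for its ssh example. Since a `~` entry is a full-administrator grant, one sentence noting that the file should be writable only by the account running the server would also help.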
@@ -73,16 +73,6 @@ Once you're an administrator, you can promote/demote others easily with the `/ad

[3]: http://pokemonshowdown.com/forum/register

### localsysop setting

Alternatively, if you do not want to use `config/usergroups.csv`, you can use the following method to become an Administrator. In your `config/config.js` file, you can set `exports.localsysop = true` and then any users who join from `127.0.0.1` will automatically become Administrators, even if they are unregistered.

If you are running Pokemon Showdown on a remote server (such as a VPS), you can still connect from `127.0.0.1` using an SSH tunnel:

ssh user@example.com -L 3000:127.0.0.1:8000 -N

Replace `user` by your user account on the remote computer and replace `example.com` by the host name of the remote computer. Replace `8000` by the port that the server is running on. You can then point your browser to `http://localhost-3000.psim.us` and it will connect to `example.com:8000`, but it will consider you to be connecting from `127.0.0.1`, so you will become an Administrator.


Browser support
------------------------------------------------------------------------
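Review bot: deleting the whole section leaves operators who followed it (`exports.localsysop = true` in `config/config.js`) with no hint that the option no longer does anything; suggest a short note under the `config/usergroups.csv` section, or in a changelog, saying the setting was removed because any page loaded in a browser on the server host can reach `127.0.0.1` and would have inherited the Administrator grant, and that `config/usergroups.csv` is the replacement. The removed ssh-tunnel recipe also illustrates why the check was unsafe: the tunnel, like any local process, made an arbitrary remote user "consider you to be connecting from `127.0.0.1`", so source IP was never an authentication signal.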
@@ -70,10 +70,6 @@ exports.potd = '';
// https://github.com/LearnBoost/socket.io/issues/609
exports.crashguard = true;

// local sysop - automatically promote users who connect from
// 127.0.0.1 to the highest ranking group (Usually &, or sysop)
exports.localsysop = false;

// report joins and leaves - shows messages like "<USERNAME> joined"
// Join and leave messages are small and consolidated, so there will never
// be more than one line of messages.
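Review bot: dropping the option from the example config is right, but a `config/config.js` copied from an older example will still carry an `exports.localsysop = ...` line that is now silently ignored; consider logging a startup warning when `config.localsysop` is defined so operators notice the obsolete key and remove it, and so nobody assumes the promotion still happens. Minor: the removed comment described the target group as "&, or sysop" while the README hunk calls the top rank `~`; this removal makes that inconsistency moot, but it is worth checking that no other text still advertises the setting.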
@@ -307,10 +307,6 @@ var User = (function () {
users[this.userid] = this;
this.authenticated = !!authenticated;

if (config.localsysop && this.ips['127.0.0.1']) {
this.group = config.groupsranking[config.groupsranking.length - 1];
}

for (var i=0; i<this.connections.length; i++) {
//console.log(''+name+' renaming: socket '+i+' of '+this.connections.length);
emit(this.connections[i].socket, 'update', {
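Review bot: the removed block promoted on `this.ips['127.0.0.1']` alone, directly after `this.authenticated = !!authenticated;` and without consulting it, so an unauthenticated loopback connection received `config.groupsranking[config.groupsranking.length - 1]`; deleting it outright is the correct fix rather than gating it on authentication, because the source address is controlled by whatever runs on the host (a browser coerced by a malicious page, per the commit message, or an ssh tunnel). Two follow-ups: grep for any other reader of `config.localsysop` so no second promotion path remains, and review the dev console, which the commit message says is usable from `localhost` by default, since that is the same loopback trust and the same attack reaches it.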
